On February 3, 2026, the Ministry of Industry and Information Technology (MIIT), along with seven other national ministries, published the Guidelines on the Security of Cross-border Transfer of Automotive Data (2026 version), which aligns with China’s core legal frameworks, including the Data Security Law, the Cybersecurity Law (2025 Amendment), the Personal Information Protection Law, and the Regulation on Network Data Security Management. The Guidelines seek to refine management protocols for cross-border automotive data flows and promote secure, efficient data transmission.
The Guidelines apply to automotive data processors, including manufacturers, parts suppliers, and autonomous driving service providers. Data cross-border transfer activities are clearly defined as: transferring data collected and produced within China’s territory overseas; overseas organizations or individuals querying, accessing, or downloading data stored within China; and processing personal information of domestic individuals overseas. Based on data type and volume, 3 data transfer management pathways are established:
- Application for Security Assessment: Mandatory for transfers involving important data, or when the cumulative annual provision overseas exceeds 1 million individuals’ personal information (excluding sensitive personal information) or exceeds 10,000 individuals’ sensitive personal information.
- Standard Contracts or Certification for the cross-border transfer of personal information: Applicable when the cumulative annual provision overseas ranges from 100,000 to 1 million individuals’ personal information (excluding sensitive personal information) or involves fewer than 10,000 individuals’ sensitive personal information.
- Exemptions: Includes 9 specific scenarios such as cross-border transactions, cross-border human resource management, emergencies, and security vulnerability patching, provided the data transferred does not include important data.
Moreover, the Guidelines provide detailed criteria for identifying important data across various scenarios like R&D, manufacturing, autonomous driving, and software update services. This includes data related to national key R&D programs, sensitive areas (e.g., military administration zones), economic operation statistics, large-scale vehicle or personnel information, and sensitive geographic information. Specific data categories cover bills of materials, test scenario data, control program source code, algorithm parameters, location trajectories, and charging data, etc.
The data transfer procedure encompasses steps including data identification, conducting security assessments, filing standard contracts, and applying for certification. To ensure compliance, processors must establish dedicated departments, designated officers, and internal approval mechanisms for data transfers. Technically, encryption and identity authentication are required to secure transmissions, with network traffic and operation logs retained for at least three years. Organizations must also develop emergency response capabilities to address unauthorized transfers and report incidents to regulators promptly.
In contrast to the EU’s Data Act, which prioritizes in-market data access rights, the Guidelines centers on outbound security, providing multinationals with clear compliance pathways through tiered controls and explicit definitions of important data. For long-established European automakers in China, this necessitates a strategic pivot toward localized data processing coupled with tightly managed cross-border flows. In the near term, companies should invest in mapping their data assets to meet filing requirements. Long term, those who get compliance first will stand out as trusted players in China’s vast connected-car market. Balancing China’s security imperatives with the EU’s user empowerment mandate will ultimately emerge as the defining test of global automakers’ data governance capabilities.
Source: https://wap.miit.gov.cn/zwgk/zcwj/wjfb/tz/art/2026/art_bf7894e87df640c5be83ffe3ce0a2c40.html
